1. Field of the Invention
This invention relates generally to a system and method for securely accessing or unlocking an electronic control unit (ECU) on a vehicle and, more particularly, to a system and method for securely accessing or unlocking an ECU on a vehicle, where the system includes a remote secure server that receives an ECU identification value and a security challenge from the ECU and where the server uses the ECU identification value to identify an ECU security key value for the ECU to provide a response to the challenge.
2. Discussion of the Related Art
Many modern vehicles include electronic control units (ECUs), or controllers, which control the operation of vehicle systems, such as the powertrain, climate control system, infotainment system, body systems, chassis systems, and others. Such controllers require special purpose-designed software in order to perform the control functions. With the increasing number and complexity of these controllers, and the growing threat posed by developers of malicious software, it is more important than ever to authenticate the source and content of software files that are installed on automotive controllers. The consequences of using software which is not properly validated, or worse, maliciously-designed, in a vehicle controller include unintended behavior of the vehicle or its systems, loss of anti-theft features on the vehicle, potential tampering with components such as the odometer, and loss of other vehicle features and functions.
The ECUs on a vehicle must sometimes be serviced or updated for various reasons, where a service facility would need to gain access to the ECU to either download diagnostic trouble codes or other faults, reprogram the ECU, or perform some other operation to address a vehicle problem. However, it is important for security purposes that only authorized personnel be able to access an ECU on a vehicle to perform service operations because an unauthorized user may perform malicious or improper activities that adversely affect the vehicle operation. In other words, it is important that unauthorized users cannot gain access to the vehicle ECU to program the ECU with software that may be malicious or otherwise damaging to the vehicle. Therefore, having secure techniques for unlocking an ECU for programming, service and other operations is necessary.
A vehicle ECU can be unlocked for security sensitive diagnostic operations using some type of challenge/response mechanism, sometimes referred to as a “seed and key,” where the seed represents the challenge and the key represents the response. For example, a service tool that is attempting to gain access to an ECU will cause the ECU to issue a challenge message, such as some type of question, that is preprogrammed on the ECU, and the tool must then answer the challenge with the proper response, also preprogrammed on the ECU, that if answered correctly will cause the ECU to allow the tool to gain access to it. Diagnostic standards identify how this process is carried out. For example, ISO 14229 defines a security access service that allows a device to be unlocked using a challenge/response mechanism.
Challenge/response mechanisms of the type referred to above typically fall into two categories. The first category includes fixed challenges, where the challenge, and therefore the expected response, is fixed. In such an implementation, the ECU simply stores the challenge and response, where it is not necessary for the device to have the ability itself to compute the response to a given challenge. One disadvantage of such systems is that once the response is known, it is known for all time, where the same response that unlocks an ECU today would unlock the same ECU tomorrow. Thus, the security provided by this type of challenge/response mechanism is limited.
The second category includes variable responses, where each ECU unlock operation causes a different challenge to be issued by the ECU. This is often implemented by giving the device to be unlocked the capability of computing a response to a given challenge. In many implementations this takes the form of a secret algorithm that allows the computation of a response for a given challenge. This has the benefit of preventing a response from being used at a later point in time, but has the disadvantage that the security of the system lies in the secrecy of the algorithm. If all devices use the same algorithm, exposure of the algorithm, which must be embedded in every ECU, reduces the overall security of the system.
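The following Python model, added here as an illustration and not part of the patent text, contrasts the two categories of seed-and-key unlock described above: a fixed challenge, whose captured response remains valid on every later session, and a variable challenge, where the ECU issues a fresh seed each time so an old response is rejected. It assumes HMAC-SHA256 as the response function and a constructed per-ECU key table of the kind the remote server would hold; the patent itself names no particular algorithm.

```python
import hmac
import hashlib
import secrets

# Constructed sample key database: ECU identification value -> per-ECU secret.
# In the system described above this lookup table lives on the remote secure server.
ECU_KEYS = {
    b"ECU-ID-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

def compute_response(ecu_id: bytes, seed: bytes) -> bytes:
    """Server side: look up the ECU's key by its ID and answer the seed (challenge)."""
    key = ECU_KEYS[ecu_id]
    return hmac.new(key, seed, hashlib.sha256).digest()[:8]

class EcuSecurityAccess:
    """ECU side of a seed-and-key unlock (assumed model, not ISO 14229 message framing).
    fixed=True models the first category (constant seed, hence constant expected response);
    fixed=False models the second category (a fresh random seed for every request)."""
    def __init__(self, ecu_id: bytes, key: bytes, fixed: bool):
        self.ecu_id, self._key, self.fixed = ecu_id, key, fixed
        self._pending = None   # seed currently awaiting an answer
        self.unlocked = False

    def request_seed(self) -> bytes:
        self._pending = b"\x01\x02\x03\x04" if self.fixed else secrets.token_bytes(4)
        return self._pending

    def send_key(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()[:8]
        self._pending = None   # each issued seed answers at most one attempt
        self.unlocked = hmac.compare_digest(expected, response)
        return self.unlocked

def replay_succeeds(fixed: bool) -> bool:
    """Record one valid seed/response pair, then reuse the response on a later session."""
    ecu = EcuSecurityAccess(b"ECU-ID-0001", ECU_KEYS[b"ECU-ID-0001"], fixed)
    seed = ecu.request_seed()
    captured = compute_response(ecu.ecu_id, seed)
    assert ecu.send_key(captured)   # the authorized tool unlocks normally
    ecu.unlocked = False            # later: ECU reset / new diagnostic session
    ecu.request_seed()              # the ECU issues its challenge again
    return ecu.send_key(captured)   # does the old response still unlock it?
```

Running `replay_succeeds(True)` returns True and `replay_succeeds(False)` returns False, which is exactly the weakness of the fixed-challenge category described above.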